5 Powerful Botnets Found Exploiting Unpatched GPON Router Flaws

Within just 10 days of the disclosure of two critical vulnerabilities in GPON routers, at least 5 botnet families have been found exploiting the flaws to build an army of millions of devices.

Security researchers from China-based cybersecurity firm Qihoo 360 Netlab have spotted 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, making use of the GPON exploit in the wild.

As detailed in our previous post, Gigabit-capable Passive Optical Network (GPON) routers manufactured by South Korea-based DASAN Zhone Solutions have been found vulnerable to an authentication bypass flaw (CVE-2018-10561) and a root-level remote code execution (RCE) flaw (CVE-2018-10562) that, chained together, allow remote attackers to take full control of the device.

Shortly after the details of the vulnerabilities went public, 360 Netlab researchers warned of threat actors exploiting both the flaws to hijack and add the vulnerable routers into their botnet malware networks.

Now, the researchers have published a new report detailing the 5 botnet families below, all of which are actively exploiting these issues:

Mettle Botnet — The command-and-control panel and the scanner of this botnet are hosted on a server residing in Vietnam. Attackers have been utilizing the open-sourced Mettle attack module to implant malware on vulnerable routers.

Muhstik Botnet — This botnet was initially discovered just last week when it was actively exploiting a critical Drupal flaw, and now the latest version of Muhstik has been upgraded to exploit GPON vulnerabilities, along with flaws in JBOSS and DD-WRT firmware.

Mirai Botnet (new variants) — The GPON exploit has also been integrated into a few new variants (operated by different hacking groups) of the infamous Mirai IoT botnet, which first emerged and was open-sourced in 2016 after it was used to launch record-breaking DDoS attacks.

Hajime Botnet — Another infamous IoT botnet, Hajime, has also been found adding the GPON exploit to its code to target hundreds of thousands of home routers.

Satori Botnet — The infamous botnet that infected 260,000 devices in just 12 hours last year, Satori (also known as Okiru), has also been observed to include the GPON exploit in its latest variant.

Researchers at vpnMentor, who discovered the GPON vulnerabilities, already reported the issues to the router manufacturer, but the company hasn’t yet released any fix for the issues, nor do the researchers believe that any patch is under development, leaving millions of its customers open to these botnet operators.

What’s worse? A working proof-of-concept (PoC) exploit for the GPON router vulnerabilities has already been made available to the public, making exploitation easier even for unskilled attackers.

So, until the company releases an official patch, users can protect their devices by disabling remote administration rights and using a firewall to prevent outside access from the public Internet.

Making these changes to your vulnerable routers would restrict access to the local network only, within the range of your Wi-Fi network, thus effectively reducing the attack surface by cutting off remote attackers.

If you are unsure about these settings, vpnMentor has also provided a simple online tool that automatically modifies your router settings on your behalf, though we do not encourage users to run any third-party scripts or patches on their devices.

Instead, users should either wait for official fixes by the router manufacturer or apply changes manually, when possible.